#!/sbin/openrc-run
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
# Author: Sireyessire, Cyril Jaquier
#

description="Ban hosts that cause multiple authentication errors"
description_reload="reload configuration without dropping bans"
extra_started_commands="reload"

# Can't (and shouldn't) be changed by the end-user.
#
# Note that @BINDIR@ is already supplied by the build system. Some
# day, it might be nice to have @RUNDIR@ supplied by the build system
# as well, so that we don't have to hard-code /run here.
FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"

# The fail2ban-client program is also capable of starting and stopping
# the server, but things are simpler if we let start-stop-daemon do it.
command="@BINDIR@/fail2ban-server"
pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"

# We force the pidfile/socket location in this service script because
# we're taking responsibility for ensuring that their parent directory
# exists and has the correct permissions (which we can't do if the
# user is allowed to change them).
command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
retry="30"

depend() {
	use logger
	after iptables nftables
}

checkconfig() {
    "${command}" ${command_args} --test
}

start_pre() {
	# If this isn't a restart, make sure that the user's config isn't
	# busted before we try to start the daemon (this will produce
	# better error messages than if we just try to start it blindly).
	#
	# If, on the other hand, this *is* a restart, then the stop_pre
	# action will have ensured that the config is usable and we don't
	# need to do that again.
	if [ "${RC_CMD}" != "restart" ] ; then
		checkconfig || return $?
	fi
	checkpath -d "${FAIL2BAN_RUNDIR}"
}

stop_pre() {
	# If this is a restart, check to make sure the user's config
	# isn't busted before we stop the running daemon.
	if [ "${RC_CMD}" = "restart" ] ; then
		checkconfig || return $?
	fi
}

reload() {
	# The fail2ban-client uses an undocumented protocol to tell
	# the server to reload(), so we have to use it here rather
	# than e.g. sending a signal to the server daemon. Note that
	# the reload will fail (on the server side) if the new config
	# is invalid; we therefore don't need to test it ourselves
	# with checkconfig() before initiating the reload.
	ebegin "Reloading ${RC_SVCNAME}"
	"@BINDIR@/fail2ban-client" ${command_args} reload
	eend $? "Failed to reload ${RC_SVCNAME}"
}
